Maintenance Testing for the Data Encryption Standard

Jason Gait


This publication describes the design of four maintenance tests for the Federal Information Processing Data Encryption Standard (DES). The tests consist of an iterative procedure that tests the operation of DES devices by using a small program and minimum data. The tests are designed to be independent of implementation and to be fast enough to test devices during actual operation. The tests are defined as four specific stopping points in a general testing process and satisfy four testing requirements of increasing degree of completeness depending on the thoroughness of testing desired.


Key words: Communications security; computer security; cryptography; data encryption standard; in-service testing; maintenance tests; Monte-Carlo testing; stuck-fault testing; test cases.


1. INTRODUCTION


The Federal Information Processing Data Encryption Standard (DES) is the standard cryptographic algorithm for use within the Federal Government for protecting non-classified transmission and storage of computer data. The DES algorithm is normally implemented in hardware and commercial DES devices are presently available from eight different sources. The National Bureau of Standards has validated the designs of the various hardware implementations with a validation test, i.e., a collection of input-key-output triplets which, when applied as a test to a device, and if successfully executed, insures that the device being tested in fact correctly executes the DES algorithm. A Monte-Carlo test using random data is also a part of this test [8].


A small maintenance test, residing in read only memory and executed by the same microprocessor that controls the DES device, provides a means of testing the operation of the DES hardware in the field. Since one criterion for a field test is that it be economical, the tests are designed so that only a partial test may be needed in a given application. The test is so designed that a full functional test can be executed if it is convenient and desirable to do so.

The maintenance test provides results which are a combination of the validation test and of the Monte-Carlo test described in [8]. The maintenance test uses an initial fixed input-key pair and the resulting ciphertext is then fed back as input or as key, as in the Monte-Carlo test, and this cycling process is repeated. By simply checking the output of this process against four known results the test determines if the DES algorithm is properly functioning. A maximum of 192 cycles has been determined to test completely the DES device but three earlier check points are defined which result in specific partial tests. In all, four categories of tests have been defined. They range from a simple test for stuck-faults of the 64 output bits of the DES to a complete functional test.


1.1 Validation vs Maintenance Testing

The maintenance tests described here replicate the functionality of both the validation test and the Monte-Carlo test procedure used to validate implementations of the DES [8,9]. In fact, by taking advantage of the pseudo-random nature of the DES output, we are able to describe a smaller, more efficient test procedure that is equivalent to the test previously described in [8], although the extensive Monte-Carlo test is not reproduced.

1.2 The Maintenance Tests


The maintenance tests depend only on the functionality of the algorithm and not on any particular implementation. The tests can be performed with a short program whose two inputs consist of an initial plaintext and an initial key and whose output is a final ciphertext. The test program creates a cycling process that tests the complete functionality of the DES algorithm as well as testing for stuck-at-one and stuck-at-zero faults at the various input and output interfaces. Stuck-at-one or stuck-at-zero faults occur due to a circuit failure, e.g., an open circuit. The device is known to be performing correctly if the observed final ciphertext matches the expected result. The cycling process consists of a maximum of 192 encipherments and decipherments intermixed in such a way as to test all aspects of the algorithm. The execution of the test program requires little time and hence the test can be used on-line to examine the functionality of a device in-service as well as for other testing purposes.

The complete test is determined by the following recurrence relation:


where $K_i$, $P_i$ and $C_i$ denote key, input and output at time n, with the value of i determined from the equation i = 3(n-1)+1 for n = 1, 2, 3, ..., TESTLENGTH. Here the symbol E denotes the DES encryption operation and D denotes the DES decryption operation. The initial values of key and plaintext, $K_1$ and $P_1$, are 64 bit numbers represented in hexadecimal notation with correct parity for each 8-bit byte of the key.

The test can be used in any of four modes depending on the degree of certainty required and the time available to perform the test. In each of the four modes only the final ciphertext differs; the initial plaintext and key remain the same:

key = 5555555555555555
input = FFFFFFFFFFFFFFFF


Test 1: Tests all output bits for stuck-at-one and stuck-at-zero faults; the P and E matrices used by the DES algorithm are also tested.

Test 2: Includes Test 1, tests the S-boxes and includes a test for stuck-faults at all the key and input bits except one input bit.

Test 3: Includes Test 2, a complete test for stuck-faults and a test of the IP matrix.

Test 4: Tests all aspects of the algorithm.


The following table provides a concise display of the various tests, the number of iterations required for each test, the number of encryption or decryption operations performed during each test, the final output for each test and the specific properties of the DES algorithm that are tested during each test.

Table 1. Properties of the Four Maintenance Tests

Test    Iterations  Enc/dec ops  Final output      Props tested
test 1  3           9            BF1FF37BC46CC2CA  output stuck faults, P, E
test 2  6           18           1DFCF1C844E84A9B  test 1 and S-boxes
test 3  8           24           00B82CBBE58DBB9F  test 2 and input stuck faults
test 4  64          192          246E9DB9C550381A  complete test

1.3 The Values for the Parameters of the Test

The efficacy of the testing procedure depends largely on the effectiveness of the DES as a pseudo-random number generator [5]. The number of iterations needed to satisfy each test requirement could not be determined in advance. However an upper-bound value for TESTLENGTH was determined from a Markov chain model of the full testing procedure. The results were that if pseudo-random input vectors are presented to a linear device with n inputs, then the expected number of tests required to test completely the device for sufficiently large n is approximately n+2. Since n is the minimum number required, the distribution has a very small standard deviation. Hence we need to examine at most n+3 or n+4 pseudo-random input vectors to be sure of obtaining a maximal linearly independent set (=basis) of appropriate dimension. See Appendix C for the details of the calculation.


2. DESCRIPTION OF THE DES ALGORITHM


The Federal Information Processing Data Encryption Standard published on January 15, 1977 [3] is a complex non-linear ciphering algorithm that was designed for efficient hardware implementation. Although there are software implementations, they do not comply with the standard and are generally quite inefficient compared to hardware versions [6]. The DES algorithm operates on 64 bits of input to produce 64 bits of output under the action of a 56-bit keying parameter. With the exception of initial and final permutations, the algorithm is a series connection of sixteen rounds. Each round uses 48 bits of the key in a sequence determined by a key schedule. With the exception of this difference in the round keys, the sixteen rounds are identical to one another. Each round receives an input of 64 bits; the 32-bit right half is expanded by the linear operator E to 48 bits and the result is mod 2 added to the round key; the 48 bit sum is divided into eight 6-bit blocks, each of which determines a 4-bit S-box entry; the resulting 32 bits are added mod 2 to the left half and the two halves are interchanged, thus producing 64 bits of output for the round. Sixteen rounds connected in series, each using a different round key as determined by the key schedule, together with initial and final permutations make up the DES algorithm. Despite its complexity the DES is capable of operating at high speed when implemented in hardware. For example, an encryption or decryption of one 64-bit block on the NBS DES unit takes 9 microseconds. Appendix A contains a complete functional description of the DES algorithm parameters, i.e., permutations, S-boxes and key schedule.


2.1 The Permutations and E Operator

The role of the permutation P is to mix thoroughly the data bits. The operator E expands its 32 bit input to a 48 bit output that is added mod 2 to the round key. The permutations in the key-schedule, PC1 and PC2, intermix the key bits among the round keys in such a way as to equalize key-bit utilization. No key bit is used more than 15 times nor less than 12 times. The initial and final permutations, IP and $IP^{-1}$, are byte oriented for efficient hardware implementation.

Each permutation is a linear operator, and so can be thought of as an n x m matrix and can be validated completely if it operates correctly on an appropriate maximal linearly independent set of input vectors, i.e., a suitable basis.


2.2 The S-boxes

The non-linear substitution tables, or S-boxes, constitute an important part of the algorithm. The purpose of the S-boxes is to ensure that the algorithm is not linear [1,2]. Each of the eight S-boxes contains 64 entries, organized as a 4x16 matrix. Each entry is a four bit binary number, represented as 0-15, so the output of the parallel connection of eight S-boxes is 32 bits. A particular entry in a single S-box is selected by six bits, two of which select a row and four select a column. The entry in the corresponding row and column is the output for that input. Each row in each S-box is a permutation of the numbers 0-15, so no entry is repeated in any one row.

2.3 The Key Schedule


The purpose of the key schedule is to provide a thorough intermixing of the key bits for the algorithm. The key schedule is linear, so its implementation can be verified by presenting 56 basis vectors (= a maximal linearly independent set for this operator) as keys. The encryption process uses left shifts in the key schedule while decryption uses right shifts, so an additional 56 decryptions are required for testing. The key schedule is extremely important to the security of the algorithm: it has been shown [4] that similar algorithms without similar key schedules may be substantially weaker even if they have much larger keys.


2.4 Maintaining the Correctness of DES Devices

The test program verifies the correct operation of an implementation by performing one of several optional series of tests on the device during operation. The pseudo-random tests have been examined to be sure that a basis of vectors is presented to each of the matrix operators in the algorithm, thus verifying their correct implementation as linear operators, and to exercise every element in each S-box.


2.4.1 DES Tests. The tests are designed to assure the correctness of each of the following components of the algorithm (see Appendix A):


1. Initial permutation, IP

2. Inverse permutation, $IP^{-1}$

3. Expansion matrix, E

4. Data Permutation, P

5. Key Permutation, PC1

6. Key Permutation, PC2

7. Substitution tables: $S_1, S_2, \ldots, S_8$

8. Mod 2 adders


In addition the tests protect against the possibility of stuck-faults at the interfaces between any of the above elements as well as at the input, key and output of the DES itself.

2.4.2 Relationship to Validation Tests. The NBS validation test of DES devices consists of operating on a sequence of discrete input-key-output triples. The input and key are entered into the DES device, an encryption or decryption operation is performed and the result is compared with the known correct output. Each linear aspect of the DES algorithm, e.g., P, E, and so forth, is tested independently by presenting to it a standard unit basis to be operated on. The maintenance test performs an equivalent test by relying on the pseudo-random nature of the DES algorithm to present a basis, but not necessarily the standard unit basis, to each linear element of the algorithm, thereby insuring that they are tested completely. The maintenance test is set up in such a way that various aspects of the algorithm are tested simultaneously and the tester does not receive the information provided by the validation test regarding the location of a failure. However the purpose of these tests is simply to verify that the DES device is working correctly rather than to isolate the location of failures.


3. TESTING PHILOSOPHY


The DES has been implemented by many vendors using many different techniques. To be most useful a test for the DES should be applicable to all DES devices without regard to implementation. The maintenance tests are therefore designed only to test the functionality of the algorithm itself at the well defined interfaces, such as input, key and output. While the NBS validation test could be used for maintenance, it does not meet the desirable criterion of a maintenance test for minimizing the amount of data stored. It was also desired to minimize the total number of encipherments and decipherments during the test to make the test more practical in an on-line environment during intervals between transmissions.

3.1 Stuck-faults in Cipher Feedback Mode

One of the modes of operation of the DES is cipher feedback, where the output of the DES is added mod 2 to the plaintext to produce ciphertext. If the output of the DES is subject to stuck-faults, either at one or at zero, then some part of the plaintext, or its complement, is being transmitted in the clear. It is therefore desirable that the device be tested for stuck-faults, preferably during all encipherment operations, while being used in cipher feedback mode.

3.2 Generating the Pseudo-random Tests

Since the DES is known to be a good pseudo-random number generator [5], the maintenance test was designed to use the output of the DES fed back as data or as key-text alternatively. Both encryption and decryption operations are used in order to exercise all parts of the algorithm. When all the cycles of each test have been completed, the final output is compared with a single stored value. If the two values are the same, then the device has passed the test, otherwise the device should be rendered inoperable.


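The following program is used to do this:


    key = 5555555555555555
    input = FFFFFFFFFFFFFFFF
    for (n = 1; n <= TESTLENGTH; n = n + 1) {

        crypt('e', key, output, input)   /* encrypt; output becomes the next input */

        input = output

        crypt('e', key, output, input)   /* encrypt again; output becomes the key */
        key = output

        crypt('d', key, output, input)   /* decrypt under the new key; output becomes the key */
        key = output

    }

    if (output == LASTCIPHER) OK
    else NG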


The 64 bit starting values for key and input are represented in hexadecimal notation. The value of TESTLENGTH, either 3, 6, 8 or 64, is user supplied and is determined according to the degree of completeness of testing desired. The value of LASTCIPHER is as listed in Table 1 for the appropriate number of iterations. The values of TESTLENGTH and LASTCIPHER are set according to which test is desired.


The following list specifies the values of TESTLENGTH and LASTCIPHER for each of the four testing modes described.

Test 1 Parameters: TESTLENGTH = 3

LASTCIPHER = BF1FF37BC46CC2CA


Test 2 Parameters: TESTLENGTH = 6

LASTCIPHER = 1DFCF1C844E84A9B


Test 3 Parameters: TESTLENGTH = 8

LASTCIPHER = 00B82CBBE58DBB9F


Test 4 Parameters: TESTLENGTH = 64

LASTCIPHER = 246E9DB9C550381A


3.3 Description of Tests

Test 1 uses three cycles of the program, corresponding to nine encryptions or decryptions. Test 1 is useful as a maintenance test for the DES when used in cipher feedback mode to ensure that no stuck-faults in the output will expose plaintext. It is a short test and can be practically executed on-line between transmissions. Note that for this test each bit of the output is both zero and one at least once.


Test 2 uses six cycles, corresponding to eighteen encipherments or decipherments, which are enough to test completely the S-boxes, the P and E matrices, all outputs for stuck faults and almost all inputs for stuck-faults (plaintext bit 54 is stuck-at-one throughout this part of the test). Two more cycles, actually five more operations, are required to unstick data bit 54, and carry out test 3. Test 3 tests for stuck-faults at the input and output of every algorithm element, i.e., IP, P, E, $IP^{-1}$, PC1, PC2, the S-boxes, the shifts in the key-schedule and the inputs and outputs of the mod 2 adders.


Test 4 is a complete test of the functionality of the algorithm. The verification of both tests 2 and 4 requires examination of the inputs to each of the linear elements of the algorithm to ensure that a basis, i.e., a maximal linearly independent set of vectors of appropriate dimension, is presented to each, thus ensuring that all matrix entries are fully exercised. The DES validation test presents standard unit basis vectors to these linear elements, while the maintenance test presents random inputs. Thus the inputs have been checked, not for the standard unit basis, for which we would have to wait a long time, but for any basis of the proper dimension. This is equivalent to the standard unit basis in terms of testing linear elements. A variant of the Gram-Schmidt orthogonalization process was used to do this, as described in Appendix B. The application of this process shows that the first 32 vectors applied to P are linearly independent, thus testing P completely; this corresponds to just two encipherments, since P is used 16 times during each encryption or decryption operation, or one cycle of the program. Similarly, the first 34 vectors applied to E contain a maximal linearly independent set (the 17th and 33rd vectors are dependent on the others); again the first cycle of the program suffices to test E. Hence test set 1 for stuck-faults tests P and E as well.

The first 66 encipherments, corresponding to 22 cycles of the program, test completely $IP^{-1}$; the first 87 encipherments, corresponding to 29 program cycles, test the entire key schedule for both encipherment and decipherment; and 64 complete cycles are required to test IP. It is this requirement of testing the initial permutation that fixes the value of TESTLENGTH for test 4 at 64, or 192 encipherments or decipherments.


4. SUMMARY AND CONCLUSIONS


A variety of maintenance tests for DES devices in the field have been described, ranging from testing for stuck-faults in the output to a full test of the DES device. The tests are simple and efficient and can be executed from a small ROM program on-board with the DES. Recommended testing environments include:


1. manufacturer's assembly-line checkout for DES devices,

2. user acceptance test for newly acquired and recently repaired devices,

3. field-maintenance service testing, and

4. in-service testing of DES devices to maintain the integrity of the encryption system.


Users of DES devices can choose one of the four tests described, depending on their evaluation of which test is most convenient and meaningful in the given operational environment. However test 4, the complete functionality test, encompasses all the other tests and is hence the best test to use whenever practicable.

During each test there is no verification of intermediate values, just a check of the final output for correctness. Thus there is a possibility for undetected, self-cancelling double errors that these tests are not designed to detect. Many such errors will be detected if they occur in different functional units of the DES, but the user of these tests should be alert to the possibility, however remote, that such errors might not be detected.

5. Appendix A: The DES Algorithm Specification


For the convenience of the reader, this appendix contains a complete specification of the parameters involved in the definition of the DES algorithm.

The DES acts on a 64 bit block of plaintext, which is first permuted by IP:


IP

58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

(e.g., bit one of the output is bit 58, bit two is bit 50, etc.)

The result is separated into two 32 bit registers, L and R, and then passed through the sixteen rounds. The final 64 bit result is operated on by the inverse of IP, $IP^{-1}$:

40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

The round keys K are determined by the key schedule. There are three parameters to be specified, PC1, PC2 and the shift schedule:


PC1

[PC1 and PC2 tables not preserved in this copy]

and the shift schedule is:

Iteration / Number of shifts

[shift schedule table not preserved in this copy]

For a single round the expansion operator E and the permutation P need to be specified:

E

[E and P tables not preserved in this copy]

There remain only the S-boxes:

[S-box tables not preserved in this copy]

The reader is referred to [3] for the official specification of these parameters.

6. Appendix B: The Gram-Schmidt Algorithm


Given an arbitrary set $k_1, k_2, k_3, \ldots$ of n-dimensional vectors, we will construct a maximal linearly-independent subset of vectors using the Gram-Schmidt process. The method is to assume that the vectors are linearly independent and to use the Gram-Schmidt process to construct an orthogonal set as follows. We will use the notation $\langle x|$ for a row vector and $|x\rangle$ for a column vector, $\langle x|y\rangle$ for inner product and $|x|$ for the norm of a vector. Let

$$u_2 = k_2 - \frac{\langle u_1 | k_2 \rangle}{|u_1|^2}\, u_1$$

$$u_3 = k_3 - \frac{\langle u_1 | k_3 \rangle}{|u_1|^2}\, u_1 - \frac{\langle u_2 | k_3 \rangle}{|u_2|^2}\, u_2$$

$$u_4 = \ldots$$

etc.


If at any stage in this process $u_i$ is equal to zero then omit $k_i$ and continue. This process will construct a linearly independent subset of the original set, which may not necessarily be maximal, but if the original set is sufficiently large the process will terminate after n vectors have been selected, and the subset is thus maximal.


The required theorem is as follows.

Theorem. $u_i = 0$ if and only if $k_i$ is dependent on the $k_j$ for $j<i$.

Proof. Suppose $u_i = 0$, then $k_i$ is a linear combination of $u_j$ for $j<i$. Since each $u_j$ is a linear combination of $k_l$ for $l \le j$, we have that $k_i$ is a linear combination of $k_j$ for $j<i$.

Conversely, if $k_i$ depends on the $k_j$ for $j<i$, then $k_i$ also depends on the $u_j$ for $j<i$. Hence each $\langle u_j|k_i\rangle$ is the coefficient of $u_j$ in the expansion of $k_i$ in the vectors $u_j$. Thus the sum of the terms subtracted from $k_i$ in the Gram-Schmidt process actually equals $k_i$, so $u_i = 0$.

In this form the Gram-Schmidt test is used to ensure that sufficiently many pseudo-random vectors have been presented to each linear element of the DES to guarantee complete testing. Appendix C addresses the question of how many random vectors must be examined on the average in order to ensure that we have a maximal linearly independent set.
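
The selection procedure of this appendix as runnable Python, added here and not part of the original publication. It applies the Gram-Schmidt recurrence with exact rational arithmetic to 0/1 vectors, so that "equal to zero" needs no floating-point tolerance; the function names and the 4-bit sample words are constructed for illustration.

```python
from fractions import Fraction

def bits(word, n):
    """Unpack an n-bit word into a list of 0/1 components, leftmost bit first."""
    return [(word >> (n - 1 - i)) & 1 for i in range(n)]

def inner(x, y):
    """Inner product <x|y>."""
    return sum(a * b for a, b in zip(x, y))

def select_independent(words, n):
    """Run the Appendix B process over n-bit words in the order presented.

    Returns (kept, examined): positions of the vectors retained, and how many
    vectors were looked at before n had been selected or the input ran out.
    """
    kept, ortho = [], []          # ortho holds the non-zero u_i built so far
    examined = 0
    for pos, word in enumerate(words):
        examined += 1
        k = bits(word, n)
        u = [Fraction(c) for c in k]
        for prev in ortho:
            # subtract (<u_j|k_i> / |u_j|^2) u_j for every earlier u_j
            coeff = Fraction(inner(prev, k)) / inner(prev, prev)
            u = [a - coeff * b for a, b in zip(u, prev)]
        if any(u):                # u_i != 0: k_i is independent of those kept
            kept.append(pos)
            ortho.append(u)
        if len(kept) == n:        # n vectors selected: the subset is maximal
            break
    return kept, examined

def basis_presented(words, n):
    """True when the words presented contain n linearly independent vectors."""
    kept, _ = select_independent(words, n)
    return len(kept) == n

# Constructed 4-bit inputs: a zero word, a repeat and a dependent word are omitted.
SAMPLE = [0x8, 0x0, 0xC, 0x8, 0x4, 0x3, 0x1, 0xF]

if __name__ == "__main__":
    kept, examined = select_independent(SAMPLE, 4)
    print("kept positions:", kept, "after examining", examined, "vectors")
    print("short run complete?", basis_presented([0x8, 0xC, 0x4], 4))
```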

7. Appendix C: Pseudo-random Testing of Linear Devices


A Markov-chain model is used to compute the mean and standard deviation of the number of pseudo-random input vectors that must be presented to a linear device to ensure that a basis has been presented to the device, thus testing it completely.

The first block of input may be either a zero or a non-zero block. In the second case the block will be in the set, while in the first we repeat until we obtain a non-zero block. Once we have a non-zero block, we repeat until we obtain another one, in which case we have two vectors in the set. However we may also obtain the same block again, or the zero block. With two vectors in the set a new situation arises, since the next vector may be zero, or a repeat of a vector already in the set or a new vector in the span of those already in the set. In general, a k-dimensional problem will be represented by a k+1 state Markov chain. This is a finite, ergodic absorbing Markov process, so must terminate [7; theorem 3.3.5], hence, in due course, we obtain a basis.

Theorem 1. For the Markov chain described above, the transition probability state i to state i is


Proof. Let N(i) denote the number of vectors not in the linearly independent set and not zero, but in the span of the set. It suffices to show that $N(i) = 2^i - i - 1$. It's immediate that

$$N(i) = 1 + \sum_{j=2}^{i-1} \binom{i}{j},$$

where $\binom{i}{j}$ denotes the number of combinations of i things taken j at a time, and the argument follows by induction on i. The inductive step uses the additive formula [10; 1.2.6D(9)].


In the next theorem we compute the mean number of transitions for this Markov chain to be absorbed.

Theorem 2. The expected number of transitions to absorption for the above Markov chain is, for k>1,

$$E_k = S_k + [1/(2^k - 1)] + 1,$$

where $S_k = \sum_{i=1}^{k-1} [2^i/(2^i - 1)]$.


Proof. By induction on k. For the case k=2, we have

$$(I-Q)^{-1} = \begin{pmatrix} 4/3 & 2 \\ 0 & 2 \end{pmatrix},$$

so, assuming a start with a non-zero element, the expected number of transitions to absorption $S_k$ is the sum of the last row of the fundamental matrix, or 2. The inductive step follows from the definition of the Markov chain. Now $E_k$ is equal to one for the first state plus the probability of starting without a non-zero element times the mean number of transitions to absorption given a start without a non-zero element plus the probability of starting with a non-zero element times the mean number of transitions given a start with a non-zero element, or

$$E_k = S_k + [1/(2^k - 1)] + 1,$$

where all the states except the first are lumped to give a two state Markov chain with transition matrix

$$\begin{pmatrix} 1 & 0 \\ 1 - 1/2^k & 1/2^k \end{pmatrix}$$

with $I - Q = 1 - 1/2^k$, so the fundamental matrix is

$$2^k/(2^k - 1).$$

This is precisely the mean number of transitions required to get out of the zero state.


We now derive an asymptotic estimate to the above formula.


Theorem 4. The average number of vectors that must be examined to obtain a basis is asymptotically log n + c + O(1/n), where k is the number of non-zero vectors required to define the system, $n = 2^k$ and c is a constant.


Proof. Rewrite $S_k$ as

$$S_k = \sum_{i=1}^{k-1} \{1/[1 - (1/2^i)]\},$$

to see that, apart from the first few terms, each new term just adds one as k increases, so asymptotically, for some constant c, we have $S_k = c + k$, and we see that the asymptotic value = log n + c + O(1/n). The value of c is given in [11; 5.2.3(19)], the computation being attributed to J. W. Wrench, as approximately 1.606.

Hence if the dimension of the system is k, we need to look at k+2 random vectors on the average to obtain a maximal linearly independent set.

We now compute the standard deviation, realizing that the difference between the average and the minimum value of the parameter is just 1.606, so the standard deviation must be smaller than this. Reference to [7; theorem 3.3.5] shows that the standard deviation is approximately 1.414 for all values of k, as expected. Thus the distribution has a very small variance and we expect to examine about k+3 or k+4 vectors to obtain a k-dimensional basis in a set of k-dimensional random vectors, provided the dimension k is sufficiently large.
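
Theorem 2 evaluated exactly and checked by simulation, as an added Python example that is not part of the original publication. The simulation draws uniform k-bit vectors and tests independence by elimination mod 2 (an XOR basis), a technique swapped in here for the Gram-Schmidt test because it matches the span counts of $2^i$ used in the proof of Theorem 1; the function names, trial count and seed are illustrative.

```python
import random
from fractions import Fraction

def s_k(k):
    """S_k = SUM(i=1, k-1) [2^i / (2^i - 1)] from Theorem 2."""
    return sum(Fraction(2 ** i, 2 ** i - 1) for i in range(1, k))

def expected_vectors(k):
    """E_k = S_k + [1/(2^k - 1)] + 1, the mean number of vectors examined."""
    return s_k(k) + Fraction(1, 2 ** k - 1) + 1

def vectors_until_basis(k, rng):
    """Draw uniform k-bit vectors until k of them are independent mod 2.

    `basis` is kept sorted in descending order with distinct leading bits, so
    min(v, v ^ b) clears b's leading bit from v whenever it is set.
    """
    basis, drawn = [], 0
    while len(basis) < k:
        v = rng.getrandbits(k)
        drawn += 1
        for b in basis:
            v = min(v, v ^ b)
        if v:                     # not zero and not in the span of the set
            basis.append(v)
            basis.sort(reverse=True)
    return drawn

def simulate(k, trials, seed):
    """Average number of vectors drawn over `trials` independent runs."""
    rng = random.Random(seed)
    return sum(vectors_until_basis(k, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for k in (32, 56, 64):
        print(f"k = {k}: E_k = {float(expected_vectors(k)):.4f}")
    print("simulated mean for k = 16:", simulate(16, 3000, seed=1))
    print("exact E_16:", float(expected_vectors(16)))
```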